Staten Island Barnes & Noble affected by security breach
Executive Summary:
Credit card swiping machines in 63 Barnes & Noble stores have been tampered with, and customers’ sensitive financial information may have been stolen. The company calls the tampering a “sophisticated criminal effort” to steal confidential information. Customers are being advised to check their bank accounts for any suspicious activity. According to Barnes & Noble, only one card swiping machine in each of the 63 locations was tampered with. Criminals planted bugs in those machines so that when a customer swiped a card, the card number and PIN were captured. However, the company has not said how long the bugs were in place before they were discovered. Fortunately, purchases made on the company’s website are not affected by this incident.
Analysis:
In a retail environment there is constant traffic in and out of the stores, and from a control standpoint it is very hard to keep track of who is doing what. Of course, I would argue that there must be cameras at the register, but cameras are not very helpful in catching this kind of activity. Therefore, a better way to prevent this kind of incident is to train employees to watch for suspicious activity and, where appropriate, either take prompt action or inform a supervisor. In addition, registers should be located in high-traffic areas so that the machines cannot be tampered with unnoticed. There should also be a company policy requiring cashiers to stand by their registers at all times, and when a register is closed, the swiping machine should be removed so that the public cannot reach it. Unfortunately, the article did not mention anything about PCI DSS compliance.
http://www.silive.com/news/index.ssf/2012/10/staten_island_barnes_noble_aff.html